67 lines
2.0 KiB
Nix
67 lines
2.0 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
|
inherit (import ./common.nix config) bitwarden-env sp;
|
|
in
|
|
{
|
|
options.selfprivacy.modules.bitwarden = {
|
|
enable = lib.mkOption {
|
|
default = false;
|
|
type = with lib.types; nullOr bool;
|
|
};
|
|
location = lib.mkOption {
|
|
default = "sda1";
|
|
type = with lib.types; nullOr str;
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
|
|
fileSystems = lib.mkIf sp.useBinds {
|
|
"/var/lib/bitwarden" = {
|
|
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
|
|
options = [ "bind" ];
|
|
};
|
|
"/var/lib/bitwarden_rs" = {
|
|
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
|
|
options = [ "bind" ];
|
|
};
|
|
};
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
dbBackend = "sqlite";
|
|
backupDir = "/var/lib/bitwarden/backup";
|
|
environmentFile = "${bitwarden-env}";
|
|
config = {
|
|
domain = "https://password.${sp.domain}/";
|
|
signupsAllowed = true;
|
|
rocketPort = 8222;
|
|
};
|
|
};
|
|
systemd.services.bitwarden-secrets = {
|
|
before = [ "vaultwarden.service" ];
|
|
requiredBy = [ "vaultwarden.service" ];
|
|
serviceConfig.Type = "oneshot";
|
|
path = with pkgs; [ coreutils jq ];
|
|
script = ''
|
|
set -o nounset
|
|
|
|
token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})"
|
|
if [ "$token" == "null" ]; then
|
|
# If it's null, empty the contents of the file
|
|
bitwarden_env=""
|
|
else
|
|
bitwarden_env="ADMIN_TOKEN=$token"
|
|
fi
|
|
# TODO revise this permissions mode
|
|
install -m 0640 -o vaultwarden -g vaultwarden -DT \
|
|
<(printf "%s" "$bitwarden_env") ${bitwarden-env}
|
|
'';
|
|
};
|
|
systemd.tmpfiles.rules = [
|
|
"d /var/lib/bitwarden 0777 vaultwarden vaultwarden -"
|
|
"d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -"
|
|
"f ${bitwarden-env} 0640 vaultwarden vaultwarden - -"
|
|
];
|
|
};
|
|
}
|